Phorum 5.2.11 Release Candidate 1 released! SECURITY FIXES (1 reply)
649 Views Published 1 year, 4 months ago in Announcements, Phorum
The first release candidate of Phorum-5.2.11 has been released today.
It's a bugfix release fixing a couple of issues and, unfortunately, also a couple of security-related issues, most of them being CSRF (also noted on Secunia).
Even though it's a security release, there have been A LOT of changes in the core to fix those, and therefore we want to have a release candidate first.
As usual this release can be downloaded from our downloads page (development releases).
Please let us know of any issues you might encounter with this version so the final release of 5.2.11 can be as bug-free as possible.
This is the excerpt from the changelog:
2009-04-22 09:12 ts77
* additional CSRF protection in the admin. Now a new token is generated when accessing the admin without a valid token in the url. This token is timed out after 15 minutes and requires manual click to continue.

2009-04-21 09:19 mmakaay
* Fix for #844: avoid the use of addslashes() for SQL escaping in the Spam Hurdles module in favor of phorum_db_interact(), so other database layers can be developed. Thanks to Radium Kolar for noticing.

2009-04-17 08:53 ts77
* corrected message after posting in a moderated forum, removing a warning (fixing #845, thanks to Dready)

2009-04-14 13:35 mmakaay
* Fixed #843: No need to have images/* in the distro sanity check as critical files, so I removed them from the file list. Thanks to Mathias for the idea. While I was at it, I updated the distro sanity check script to include new core distribution files in the distro list.

2009-04-13 23:03 mmakaay
* Fix for #840: make database "charset" config parameter database layer independent, by putting the check in the db layer sanity check function instead of directly in the database sanity check script. This makes it possible to ignore the charset configuration parameter for database layers that do not require this parameter.

2009-04-13 10:50 mmakaay
* Fixed XSS issues from #841. Thanks to cicatriz for reporting them.

2009-04-13 10:13 mmakaay
* Fixed #842: make Spam Hurdles module database table name db layer independent.

2009-03-22 09:58 ts77
* added support for custom headers to the mail functions and the smtp-mail module, fixed message-id usage in smtp-mail module

2009-03-20 11:51 mmakaay
* Some fixes for doc generation.

2009-03-15 11:13 ts77
* fixed APC cache-layer (#782, thanks to hcgtv for the report)

2009-03-14 05:01 brian
* Added post form confirmation into message deletion process to protect against CSRF attacks

2009-03-14 01:44 ts77
* Made allowed redirection URLs for the login a setting in general settings (defaults to localhost and the phorum-url) and fixing with it an "Arbitrary Redirection Vulnerability" reported by Andrew Paterson

2009-03-13 16:39 mmakaay
* Implemented a new hook "css_filter" that can be used for post-processing Phorum's CSS code (e.g. compression of the code).

2009-03-11 01:14 mmakaay
* Added a layer of protection against CSRF (Cross Site Request Forgery) attacks. Thanks to WHK for notifying us about the possible issues.

2009-03-11 00:42 mmakaay
* Fixed a possible XSS issue in the Spam Hurdles module. Thanks to Andrew Paterson for notifying us about the issue.

2009-03-10 00:03 mmakaay
* Implemented a new hook "get_template_file", which can be used to influence the phorum_get_template_file() function. The name of the template to load can be updated (e.g. to change "index_new" to "yourmod::index_new") and the template source file to use can be returned (e.g. to tell Phorum that the "pm" template has to be handled by a custom script named "./mods/yourmod/pm_page_handler.php").

2009-03-06 17:40 brian
* Fixing XSS issue in control.php

2009-02-18 17:08 ts77
* added after_merge / after_split hooks for acting on thread split/merge actions (fixing #828, thanks to so at deluxe-design.at)

2009-02-18 16:41 ts77
* moved pm_message array out of the condition to have the data available to the pm_sent hook in any case (fixing #827, thanks to so at deluxe-design.at)

2009-02-18 16:16 ts77
* (re-)added storing the user_id for message attachments, fixing #822

2009-02-01 19:30 mmakaay
* Fix for #892: mb_substr() replacement function contained a typo. No big impact. The replacement function was not yet in use in core code. Only the smtp_mail module calls mb_substr(). Thanks to r.wetzlmayr for reporting the error!

2009-01-28 19:41 mmakaay
* Fixed the BBcode parser for some old PHP systems. A problem in PHP caused the parser to not parse any BBcode tags.
# The PHP problem was that the "\0" in a string was seen as a filled
# character position. E.g. with $a="b", isset($a[1]) would yield TRUE.
# This threw off the bbcode parse tree generator.
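
The admin token behaviour described in the 2009-04-22 entry (a request without a valid token is not executed, a fresh token is issued, it expires after 15 minutes, and the admin has to click to continue) can be sketched as follows. This is an added example, not code from Phorum or from the original announcement; the function names, the HMAC-based token format, the `/admin/` link and the sample values are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not Phorum's code; every name below is hypothetical.
const ADMIN_TOKEN_TTL = 15 * 60; // the 15-minute timeout from the changelog

// Token = "<issued-at>:<HMAC of user id and issued-at>"; keeping it stateless
// is an assumption of this sketch, the changelog does not say how it is stored.
function admin_token_issue(string $secret, int $userId, int $now): string
{
    return $now . ':' . hash_hmac('sha256', $userId . '|' . $now, $secret);
}

function admin_token_valid(string $secret, int $userId, string $token, int $now): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                         // malformed or missing token
    }
    $issued = (int) $parts[0];
    if ($issued > $now || $now - $issued > ADMIN_TOKEN_TTL) {
        return false;                         // future-dated or expired
    }
    $expected = hash_hmac('sha256', $userId . '|' . $issued, $secret);
    return hash_equals($expected, $parts[1]); // constant-time comparison
}

// Gate for every admin request: a request without a valid token is never
// executed; the admin gets a page with a link to click instead.
function admin_gate(string $secret, int $userId, array $query, int $now): array
{
    $token = is_string($query['token'] ?? null) ? $query['token'] : '';
    if (admin_token_valid($secret, $userId, $token, $now)) {
        return ['action' => 'run', 'token' => $token];
    }
    // Drop all request parameters; the link leads only to the admin start page.
    $fresh = admin_token_issue($secret, $userId, $now);
    return ['action' => 'confirm',
            'link'   => '/admin/?token=' . rawurlencode($fresh)];
}

// Constructed sample run (secret, user id and timestamps are made up).
$secret = 'constructed-demo-secret';
$t0     = 1240391520;
$forged = admin_gate($secret, 1, ['module' => 'users', 'delete' => '7'], $t0);
$token  = admin_token_issue($secret, 1, $t0);
$ok     = admin_gate($secret, 1, ['token' => $token], $t0 + 600);
$late   = admin_gate($secret, 1, ['token' => $token], $t0 + 901);
echo $forged['action'], ' ', $ok['action'], ' ', $late['action'], PHP_EOL;
```

Because the confirmation link carries none of the original request's parameters, a cross-site request that lacks a token can at most bring the admin to a page that asks for a click. Binding the token to the user id and keeping the lifetime short limits the value of a token that leaks through a Referer header or a server log.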
About This Entry
- You’re currently reading “Phorum 5.2.11 Release Candidate 1 released! SECURITY FIXES (1 reply),” an entry on The Staff Lounge
- Published at 4.24.09 / 11pm

I have tried several over-the-counter teeth whitening products but have not found one that works well.
Does anyone have any advice or experience with some of the products offered online? I prefer using a paste solution instead of the strips.
Thanks in advance…